Friday, 17 April 2009

Ironkey: secure USB stick, surfing? - review






This is a review of the Ironkey Personal secure USB flash drive.

Many people use USB sticks or memory sticks, also called USB keys, thumb drives, flash drives and the like, for portable storage or transport of data from computers.

But they can be used to store confidential or sensitive information, e.g. copied from government databases by government employees, and are unfortunately all too easy to lose or steal (e.g. with info on suspected terrorists, vehicles of interest to the police, RAF personnel and NHS patient’s medical/personal details) - yet often they are allowed by UK government departments to be used unencrypted, despite a few recent improvements.

Is something like an Ironkey secure memory stick the answer?

It’s supposed to work on Mac and Linux as well as Windows (just for encrypted storage), and I bought an Ironkey Personal unit about a year ago, because it claimed to offer:

  1. hardware-based encryption of the files on the stick (using AES encryption) with military-grade waterproofing / shock resistance, and
  2. secure surfing with Portable Firefox (what they call “internet protection” – it’s only “free” i.e. included in the original price for a year; after that you have to pay an ongoing subscription).

It certainly cost enough, at an eye-watering £80. Well OK, it cost less than a Ferrari, granted, but considering that you can get USB drives with far greater capacity for under a tenner, you want to be sure you’re getting your money’s worth. And in my case, I don’t think I did.

Verdict

My view? Unless perhaps you’re a government department, don’t buy an Ironkey - except maybe for encrypted storage of any sensitive passwords (Personal or Enterprise versions) or files (Basic version) you might want to carry around with you (and even then, you can encrypt files or store passwords securely on a normal price USB thumb drive for free using the excellent open source TrueCrypt software, although it seems you need administrator rights on the computer you plug it into – I’ve not used TrueCrypt enough, myself, and will report further when I have).

I should say that I was also frustrated that I’d bought the Ironkey on the basis that they’d promised Linux support would be forthcoming. New models released just after I bought mine did support Linux, but it took Ironkey forever to roll out upgrades enabling existing units to support Linux.

Secure web browsing?

I’d wanted to use the Ironkey for secure surfing too, e.g. plugging it into a public computer in a public library or internet cafe and then surfing the web via portable Firefox i the unit, but in my view it wasn’t fit for that purpose because:

  1. At least in all the London libraries / cafes I tried, it doesn’t work – they lock things down so you can’t use Portable Firefox on the Ironkey
  2. The point of security is, well, security. Browsers ought to be upgraded as and when browser security updates are issued. If Ironkey really cared about security they would immediately provide upgrades for the browsers built into their units as soon as security updates were made available. But for months after major Firefox security upgrades were released last year, you couldn’t download security upgrades for the browser on the Ironkey. Maybe you can now, but I’ve stopped asking Ironkey or looking on Ironkey’s site. I can’t use the browser anyway, see the previous point.

Also, their secure web sessions are based on but claimed to be much faster than Tor – being routed through Ironkey’s own computers, hence the periodic subscription fee. Whether you trust the security and anonymity of things going through their routers (they’re headquartered in California) is of course up to you.

Features

For those interested (but really I’d suggest you save your money), the Ironkey:

  1. comes in a nice strong shiny metal case
  2. requires a password to access its contents, and physically “self destructs” internally if the wrong password is tried too many times
  3. (Personal and Enterprise editions only) includes a password manager which enters your saved passwords for you (make sure you’re keylogger free first!) – that’s actually the only use I’d see for it, myself
  4. (Personal and Enterprise editions) lets you backup your passwords to the Ironkey site, and yes I know, you have to trust how they say it works
  5. enables some portable applications to be run from the drive.

See their FAQs for more info, and their user guide for Personal, and comparative chart of their 3 models (Enterprise, Personal, Basic).

10 comments:

Owen Nash said...

There is another aspect of IronKey I find quite troubling. They tout their own integrity as a security feature, yet grossly misrepresent the product in order to dupe customers. IronKey states, for example:

“IronKey has numerous patent-pending technology innovations that leverage the power of the on-board crypto processor to enable anti-malware protection in the hardware on the IronKey device to protect data and networks without requiring the installation and operation of software or drivers on host computers.”

This implies (if not explicitly states) that the on-board “crypto processor” runs antivirus software without involving the host computer’s CPU. This is ludicrous; it does nothing of the sort.

Their antivirus executable file resides on the device, and is loaded into the pc’s memory like a normal, installed antivirus program. But unlike an installed antivirus program, it cannot integrate with browser and email operations (likely sources of virus) because doing this requires an installed antivirus program that is invoked at boot time.

If their portable antivirus app prevents Conficker, it does so because it has a virus signature for Conficker, just like every other installed or portable antivirus product did, once the Conficker signature was identified.

This is very disingenuous advertising for a firm making a security product.

Improbulus said...

Thanks for the comment Owen, interesting. I checked the Ironkey site and for anyone who wants to know the original Ironkey statement he mentions is on this page under the subheading "Real-time anti-malware scanning" towards the end. That page has more info from Ironkey about their anti-malware component.

Anonymous said...

Improbulus,

It sounds like you got a pretty early version of the IronKey Personal device. IronKey's had the downloadable update for Linux and Mac support available since 2008.

Certainly as an early company, we underestimated the difficulty of providing the software and firmware updates. We've come a long way in our engineering team, and are now providing updates in a very timely fashion. In fact, we provided 2 updates just last week.

We fully support FireFox 3 and all it's updates are available in realtime as they are released.

For Owen, let me clarify how the anti-malware capabilities work on the IronKey Enterprise product. The crypto processor and on-board software actually do prevent malware from creating malicious autorun files. They check them before the secure volume is mounted to the PC. We also periodically check and repair while unlocked.

Malicious autorun is the main way that Conficker.C spreads to and from USB drives. Its also the way that Agent.bz spreads.

The cryptochip processor also implements a hardware read-only mode that you can use if plugging into untrusted computers.

In addition, you are correct, we have antimalware scanners that use the host PCs cpu to scan. In the future we're looking at running AV on the device itself.

Sorry if our statement didn't fully explain how it works. The crypto processor does actually provide an important level of anti-malware protection.

Dave @ IronKey

Improbulus said...

Thanks for your comment Dave.

The update for Linux was only available in very late 2008, and no updates for Firefox were provided for my version of the Ironky for months. I'm glad you are trying to be quicker with update releases now.

Anonymous said...

What about what they say at http://kyps.net/home/comparison about using portable apps on usb sticks? This doesn't sound like such a great idea after all....

Iggy Bop said...

They have good stuff. I personally prefer SanDisk's Secure USB Drives much better though but I guess it's a matter of personal taste.

Gurudatt Shenoy said...

Iron Key is no doubt cool stuff with backing from VeriSign, RSA and others.

Yet, we have found as in the Kingston drives which were hacked into recently that hackers find a way to get through even the most secure gadget out there.

A USB Drive from IronKey is easily identifiable as a security key and then someone might just know how to get around it. I have worked in the smart card industry and know how easy it is to get around smartcards using proprietary encryption and storage.

The solution lies not in technical but logical implementation of security. What this means in plain speak is making the task of the hacker difficult in cracking a encryption method.

The first step for this is that the device should not be easily identifiable. When you use a device such as Kingston or Iron Key or SecureID from RSA, any experienced hacker will know what to do next.

But if the user has a device that has no markings or any indication that this is a security key, then most hackers might just ignore it.

The second logical thing is not to store anything on the device itself. Once you store passwords on a device no matter how you encrypt it there is always a possibility of decryption and that defeats the entire security part of the deal.

Third thing is there should not be any passwords at all. So that there is nothing to hack.

We at EasySecured have developed such a technology where anyone can convert a commonly available USB Drive into a security key and lock their online accounts or data.

And it comes FREE to the end user.

Anonymous said...

if your main concern is the security of your usb drive's files, then the ironkey should satisfy your needs (albeit at enormous cost). however, if you're interested in the anonymous internet browsing feature (i.e., SecureSessions), forget this product and look elsewhere. securesessions is extremely buggy and, more often than not, it stops working after 5-10 minutes. when it stops working, the "fix" supplied by ironkey involves:

first, closing firefox, then, disabling secure sessions through the ironkey control panel, then, deleting certain hidden files on the drive, then, locking the drive, then, unlocking the drive (which requires re-entering your password), then, re-enabling secure sessions through the ironkey control panel, and, finally, re-starting firefox.

this tedious 5-10 minute process will usually get you about another 5-10 minutes of secure browsing before secure sessions stops working again. after going through this numerous times, i just gave up and stopped using secure sessions all together. it is too unstable and unpredictable.

to be fair, there were occasionally days in which secure sessions worked for many hours without a hitch, but these days were the rare exception rather than the rule. furthermore, ironkey support was totally useless in remedying this problem. they are aware of the problem, but, aside from the laborious fix described above, they were -- and still are (after 6+ months and two updates) -- dumbfounded by it.

i was extremely disappointed with this product and, in hindsight, wish i'd saved the $$$, bought a subscription (for far less money) to any one of the numerous other available proxy services (that work!), and just used free software to encrypt my files (e.g., truecrypt, 7-zip, etc.).

Max said...

Like you mentioned in the article, Iornkey might be a bit overkill for the average user. Another free application is called USB Safe Guard. It encrypts the data like TruCrypt, but it also self destructs the data on the usb stick if an incorrect password is entered to many times.

Security, holly wood style!

Anonymous said...

Obviously most of you people giving negative comments are novice or rookie security experts. Go download truecrypt - ignorance is bliss.